¨Traditional¨ cyber-crime activities such as phishing typically require an attacker to compromise one or more victim computer systems (either individually or via mass auto-rooters) and establish a fake or fraudulent web site. Content would then be advertised to victims either by mass emailing or more targeted marketing (spear phishing), often through other compromised computer systems and botnets. The computer systems hosting the malicious content would be identified either by public DNS name or directly by IP address embedded within the email lure messages. These types of scams are identified relatively quickly by security professionals and can be quickly shut down. As the average time of survival was reduced for these phishing websites, criminals began to add additional layers of protection, such as server address obfuscation or utilize groups of proxy servers to redirect network. Such systems are limited in scale and can still be tracked down fairly quickly with international co-operation. We are now seeing the next evolutionary step, the fast-flux network. In the end, it’s all about Return on Investment (ROI) for the criminals, and fast-flux service networks provide a reliable way to maximize the returns on their criminal activities for relatively low effort. Fast-flux service networks offer three major advantages to operators of Internet based criminal activity.

The first advantage is found in both legitimate and criminal operations: simplicity. Only one suitably powerful backend server (or mothership) host is needed to serve the master content and DNS information. The published URLs (such as via phishing lures) point to front end proxy redirectors, which then transparently redirect client connection requests to the actual malicious back end server or servers. This makes the content delivery infrastructure much simpler for criminals to manage. Instead of having to build (or compromise) and maintain many servers to host their phishing or malicious websites, they now require only a small number of well managed core systems to host their scam sites and malware, whilst other attackers can specialize in building and operating reliable fast-flux service networks to deliver their malicious content.

The second advantage is that front-end nodes are disposable criminal assets that can offer a layer of protection from ongoing investigative response or legal action. When a security professional is responding to an incident and attempts to track down a malicious website hosted via a fast-flux service network, they typically recover only a handful of IP addresses corresponding to disposable front-end nodes which may be spread across multiple jurisdictions, continents, regional languages and time zones, which further complicates the investigation. Because of the proxy redirection layer, an electronic crimes investigator or incident responder will often find no local evidence of the hosting of malicious content on compromised front end systems, and traffic logging is usually disabled so audit trails are also limited.

Thirdly, fast-flux service networks extend the operational lifespan of the critical backend core servers that are hidden by the front-end nodes. It can take much longer to identify and shut down these core backend servers due to the multiple layers of redirection – particularly if these nodes are hosted in territories with lax laws and criminal-friendly ‘bullet-proof’ hosting services. Very few operational changes have been observed in live backend servers during the extensive monitoring of fast-flux service network cores, which is a testament to the success of this operational model.